b'                                                  Memorandum\n                                                  OFFICE OF THE INSPECTOR GENERAL\n                     WASHINGTON, DC 20401\n\n\n    DATE: March 31, 2005\n\nREPLY TO\n ATTN OF: David B. Schaub, Supervisory Auditor\n\n SUBJECT: Follow-up Audit Report on Improving the Controls Over GPO\'s SmartPay Program\n           at the Central Office\n\n      To: Managing Director, Plant Operations\n           Chief Human Capital Officer\n           Managing Director, Customer Services\n\n           The Office of the Inspector General\'s (OIG\'s) Office of Audits has completed a\n           follow-up audit on GPO\'s SmartPay Program at the Central Office from November\n           2004 through March 2005. Attached are the results of the audit, which found that\n           the eight recommendations stemming from the September 2002 OIG Audit Report\n           No. 02-09 Improving the Controls Over GPO\xe2\x80\x99s SmartPay Program at the Central\n           Office have been implemented.\n\n           The OIG also identified the following conditions needing improvement:\n\n                1. Internal control reviews and vulnerability assessments of the purchase\n                   card program, as they apply to two GPO departments, need to be either\n                   prepared or enhanced.\n\n                2. Written review procedures have not been established for governing the\n                   purchase card program within one department.\n\n                3. Employee return or surrender of their assigned purchase card(s) could\n                   be more easily monitored.\n\n         This report contains three recommendations to improve GPO\'s SmartPay\n         Program at the Central Office. The Chief Human Capital Officer and the Plant\n         Operations Managing Director reviewed the preliminary findings in this report and\n         have agreed with the recommendations in writing. (See Appendix II.)\n\n         Mr. David Schaub, Supervisory Auditor, and Ms. Allyson S. Brown, Auditor-in-\n         Charge, conducted this audit.\n\n\n\n\n      05-03\n      (343)\n\x0c  We also noted that there have been recent changes to credit card limitation\n  policies that occurred too late to be reviewed and analyzed for reporting within\n  the scope of this audit. Based on the impact of these changes, coupled with\n  observations made by the auditors in areas that were outside the scope of the\n  original follow-up objectives, we have included another review of the SmartPay\n  Program in our FY 2005 audit plan.\n\n  We appreciate the cooperation and courtesies extended during the audit by the\n  officials and staff of the Human Capital Office, Plant Operations, and the\n  Customer Services Department.\n\n\n\n  DAVID B. SCHAUB\n  SUPERVISORY AUDITOR\n\n\n\n\n05-03                                     2\n(343)\n\x0c                 FOLLOW-UP AUDIT ON IMPROVING CONTROLS OVER\n                  GPO\xe2\x80\x99S SMARTPAY PROGRAM AT CENTRAL OFFICE\n\n                                          TABLE OF CONTENTS\n\n\nRESULTS IN BRIEF\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.4\n\nBACKGROUND \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa66\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..7\n\nASSESSMENTS OF AUDIT RECOMMENDATIONS, REPORT #02-09\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa69\n\nFINDINGS AND RECOMMENDATIONS\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa612\n\n 1. Vulnerability Assessments and Internal Control Reviews Need to be\n   Performed\xe2\x80\xa6........................................................................................................12\n\n 2. Written Procedures Were Not Established in Engineering Services\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..15\n\n 3. Monitoring of Retired Purchase Cards Needs to be Improved\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.17\n\nAPPENDIX I: SUMMARY TABLE OF RECOMMENDATIONS\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.19\n\nAPPENDIX II: MANAGEMENT COMMENTS\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa620\n\n\n\n\n05-03                                                     3\n(343)\n\x0c        REPORT ON FOLLOW-UP AUDIT OF IMPROVING CONTROLS OVER\n             GPO\xe2\x80\x99S SMARTPAY PROGRAM AT CENTRAL OFFICE\n\n                                    RESULTS IN BRIEF\n\n\n  The Government Printing Office (GPO) Office of the Inspector General (OIG) has\n  completed a Follow-up Audit Report on GPO\xe2\x80\x99s SmartPay Program at the Central\n  Office from November 2004 through March 2005.\n\n  The primary objective of this audit was to verify that management took the agreed-\n  upon actions based on the eight original audit recommendations to ensure that\n  adequate management controls were maintained over the GPO SmartPay Program\n  in the areas of GPO outlined by OIG Audit Report No. 02-09.\n\n  The auditors concluded that GPO management took the agreed-upon actions based\n  on the eight original recommendations to ensure that adequate management controls\n  were maintained over the GPO SmartPay Program within the areas outlined by Audit\n  Report No. 02-09.\n\n  In the course of completing all the objectives of the follow-up audit, the OIG identified\n  the following conditions needing improvement:\n\n        \xe2\x80\xa2   Internal control reviews and supporting vulnerability assessments (and/or risk\n            analysis) of two departments (Engineering Services and Workforce\n            Development, Education and Training) need to be developed in order to allow\n            for effective evaluation of the purchase card program in their respective areas.\n\n        \xe2\x80\xa2   Written review procedures have not been established for governing the\n            purchase card program and how it is to be administered in one department\n            (Engineering Services).\n\n        \xe2\x80\xa2   Employee return or surrender of their assigned purchase card(s) was not\n            being carefully monitored. GPO Form 2938, the form used for sign-off\n            approval of relinquishing GPO-owned items when an employee retires (or is\n            otherwise separated) can be amended to account for surrender of their\n            purchase cards.\n\n  MAJOR RECOMMENDATIONS\n\n  To improve the internal controls over the GPO SmartPay Purchase Card Program in\n  these areas, we recommend that the Plant Operations Managing Director and the\n  Chief Human Capital Officer take the following steps:\n\n05-03                                          4\n(343)\n\x0c        1. Ensure that written internal control reviews and periodic vulnerability\n           assessment or risk analysis of the SmartPay purchase card program are\n           performed within their respective departments;\n\n        2. The Plant Operations Managing Director should ensure that written\n           procedures and standard operating procedures are developed for\n           Engineering Services and serve as an effective internal control measure;\n           and\n\n        3. The Chief Human Capital Officer should take steps to amend GPO Form\n           2938, Employee Checkout Sheet, to allow for documented return and\n           verification of purchase cards when a GPO employee retires, transfers, or\n           is otherwise separated from the working area to which they were assigned\n           when the card was issued to them.\n\n  MANAGEMENT COMMENTS\n\n  The Chief Human Capital Officer, in a memorandum dated March 25, 2005, has\n  agreed with our findings and recommendations. The Director, Plant Operations,\n  in a memorandum dated March 28, 2005, has also agreed with our findings and\n  recommendations (See Appendix II).\n\n\n\n\n05-03                                    5\n(343)\n\x0c                                     BACKGROUND\n\n\n  The Purchase (Charge) Card, also known as the purchase card or the commercial\n  credit card, is used to purchase supplies and services in accordance with the\n  Materials Management Acquisition Regulation (MMAR). The purchase card is the\n  preferred procurement and payment tool for micro-purchases, as prescribed in\n  MMAR Chapter 13.2. A "micro-purchase" is an acquisition of supplies or services\n  in which the aggregate amount for a single purchase does not exceed $2,500,\n  except in the case of construction where the limit is $2,000. The purchase card\n  may be used as an ordering and payment mechanism, not a contracting\n  mechanism, for purchases above the micro-purchase threshold. When used as\n  an ordering and payment mechanism, contractors may bill against the purchase\n  card. When the order is shipped, the contractor bills the purchase card account\n  instead of issuing an invoice directly to the agency/organization. Purchase cards\n  for GPO are issued (and the program is administered) by Bank of America.\n\n  To allow agencies/organizations the maximum latitude, the GSA SmartPay\xc2\xae\n  Master Contract excludes only a few categories of purchases. They are:\n\n        \xe2\x80\xa2   long-term rental or lease of land or buildings;\n        \xe2\x80\xa2   travel or travel-related expenses (excluding conference rooms, meeting\n            spaces and local transportation services such as Metro fare cards, subway\n            tokens, etc.); and\n        \xe2\x80\xa2   cash advances.\n\n  Further restrictions for GPO cardholders have been defined in GPO Instruction\n  805.27A, Obtaining, Using, and Safeguarding Commercial Credit Cards.\n\n  GPO has been reorganized in several departmental areas since Audit Report\n  #02-09 was issued. The relevant portion of Materials Management Service\n  (MMS) has been absorbed by Customer Services, and General Procurement is\n  now part of Acquisition Services. The Personnel Department, of which the\n  Training and Career Development Branch was a part, has been reorganized as\n  the Human Capital Office. The Training and Career Development Branch has\n  been renamed as the Workforce Development, Education, and Training Branch.\n  The Pipe and Sheet Metal Branch remains as a part of the Facilities Division,\n  which is a part of Engineering Services, which is itself a part of Plant Operations\n  (formerly known as Production Services).\n\n\n\n\n05-03                                       6\n(343)\n\x0c                     OBJECTIVES, SCOPE AND METHODOLOGY\n\n\n  The primary objective of this follow-up audit was to determine whether the eight\n  recommendations concerning the controls over GPO\xe2\x80\x99s SmartPay purchase card\n  program that were made to three different GPO departments in OIG Audit Report\n  No. 02-09 Report on Improving the Controls Over GPO\'s SmartPay Program at\n  the Central Office were implemented.\n\n  As a part of this follow-up audit, the internal controls governing GPO\'s SmartPay\n  Program at the Central Office including protective measures against fraud, waste\n  and abuse were reviewed and evaluated.\n\n  The audit was performed in accordance with generally accepted Government\n  auditing standards issued by the Comptroller General of the United States, and\n  included such tests as were considered necessary under the circumstances. The\n  scope of the audit included a review of management responses and management\n  actions, including changes to the GPO organizational structure, since issuance of\n  the original audit report No. 02-09 on September 9, 2002.\n\n  This audit fieldwork was conducted between the months of November 2004 and\n  March 2005. To meet the objectives of the audit, the audit team:\n\n        \xe2\x80\xa2   Examined and verified a test sample of purchase card charges performed\n            by Plant Operations and Acquisition Services for December 2004;\n\n        \xe2\x80\xa2   Compared and contrasted two listings of current GPO Central Office\n            purchase card cardholders for the months of December 2004 and\n            January 2005 to ensure that internal controls were practiced;\n\n        \xe2\x80\xa2   Interviewed and conducted conferences with appropriate management\n            officials in Human Capital Office, Plant Operations, and Customer\n            Services;\n\n        \xe2\x80\xa2   Obtained and reviewed prior audit workpapers, audit recommendations,\n            and management\xe2\x80\x99s actions on implementing the recommendations;\n\n        \xe2\x80\xa2   Interviewed officials in Engineering Services, Acquisition Services, and\n            Workforce Development, Education, and Training Branch, and determined\n            whether and to what extent the recommendations were implemented; and\n\n        \xe2\x80\xa2   Developed a flow chart of the purchase card process.\n\n05-03                                       7\n(343)\n\x0c  In addition, we reviewed the following publications and instructions that contained\n  policy and procedures followed by GPO personnel:\n\n        \xe2\x80\xa2   GPO Instruction 710.4, Audit Follow-Up, Resolution, and Management\n            Decisions, to identify the established guidelines governing OIG audit\n            follow-up and audit resolution;\n\n        \xe2\x80\xa2   GPO Instruction 805.27A, Obtaining, Using and Safeguarding Commercial\n            Credit Cards, to identify the established guidelines and procedures for\n            credit card purchases for supplies or services;\n\n        \xe2\x80\xa2   GPO Instruction 825.18A, Internal Control Program, to identify policies,\n            standards, and responsibilities for conducting vulnerability assessments\n            and internal control reviews of GPO programs and activities; and\n\n        \xe2\x80\xa2   GPO Publication 1215.1, Program to Eliminate Fraud, Waste and Abuse in\n            Government Printing Office Programs and Operations, to advise GPO\n            employees of this program and assign responsibilities for implementing it.\n\n\n\n\n05-03                                        8\n(343)\n\x0c                  ASSESSMENT OF AUDIT RECOMMENDATIONS,\n                           AUDIT REPORT #02-09\n\n\n   The OIG made the following observations and performed the following tests for each\n   of the eight recommendations from report #02-09 (complete text of each\n   recommendation is in Appendix I). We found that corrective action had been taken\n   to improve the policies and procedures in providing reasonable assurance and\n   safeguards against waste, loss and abuse regarding the SmartPay purchase card\n   program in the GPO departments described as follows:\n\n      Recommendation -01: A review of documentation subsequent to the audit\n      report indicated that a memorandum had been prepared (dated September 4,\n      2003) by the Director, Production Services (now Plant Operations) attesting to\n      the fact that they had reconciled prior receiving tickets to the disputed items.\n      This claim was further supported by an e-mail from the former Chief of the\n      General Procurement Division (dated September 30, 2002), forwarding a\n      statement by his personnel that GPO does not owe any past due amounts to\n      Bank of America. Management officials have reconciled the receiving tickets\n      by October 2002, and the OIG considers this recommendation closed.\n\n      Recommendation -02: We reviewed GPO Instructions and Directives since the\n      audit report and found that the Director of MMS had developed GPO Instruction\n      805.27A, Obtaining, Using, and Safeguarding Commercial Credit Cards, issued\n      November 5, 2002. This Instruction provides written guidelines on reconciling\n      disputed items by MMS (and subsequent Customer Services) credit card\n      holders. We also obtained a copy of Draft Instruction 805.27B, which included\n      current updates to Instruction 805.27A. Both policies detailed the process of\n      reconciling individual disputed items. With the issuance of GPO 805.27A and\n      the subsequent policy change being done to update and improve the\n      reconciling of disputed items, the OIG has determined that this audit\n      recommendation has been successfully implemented.\n\n      Recommendation -03: To satisfy the first part of this recommendation, the\n      auditor interviewed an Acquisition Services official. The official stated that GPO\n      policy has been changed in this area. Acquisition Services now reviews\n      purchase requests before items are placed on purchase orders; if the items are\n      $500 or less, they are authorized for purchase card charges in that area of\n      GPO, but are not placed on a purchase order. To satisfy the second part of this\n      recommendation, the auditor reviewed supporting records for the audit report\n      which indicated that there were 33 total purchase card cardholders in GPO\'s\n      Central Office, of whom 15 cardholders could be identified as supervisors. We\n      obtained current listings which totaled 85 purchase card cardholders as of\n05-03                                       9\n(343)\n\x0c        January 2005. A judgment sample of 40 cardholders was performed, and their\n        positions were traced to current title identification per GPO\xe2\x80\x99s employee listing\n        maintained on Microsoft Outlook e-mail software. At least 25 of the 40\n        cardholder names sampled were identified as supervisors. As a result,\n        corrective action had been taken to both reduce small purchases under $500\n        and also to issue more credit cards to supervisors in implementing this\n        recommendation.\n\n        Recommendation -04: An observation of activities by the Chief, Facilities\n        Division (of which the Pipe and Sheet Metal Branch is a part) confirmed that\n        purchase card procurements by branch employees are being monitored. We\n        also obtained a sample of the monthly reconciliations of purchase card\n        statements that is maintained in their database, and verified its accuracy. As a\n        result, corrective action has been taken to ensure monitoring of credit card\n        purchases in implementing this recommendation.\n\n        Recommendation -05: In a September 4, 2002 letter sent to the OIG from\n        Engineering Services, the Chief stated that the $500 transaction limit was being\n        raised to $1,000 and that it would eventually be raised to $2,500. We also\n        reviewed GPO instructions and directives since the audit report; as previously\n        noted, the Director of MMS issued GPO Instruction 805.27A. This Instruction\n        provided written guidelines that increased the single purchase transaction limit\n        to $2,500 for all purchase card cardholders. As a result, corrective action has\n        been taken to ensure an increase to the $500 transaction limit in implementing\n        this recommendation.\n\n        Recommendation -06: A review of forms currently in use by Workforce\n        Development, Education and Training Branch determined that GPO no longer\n        uses GPO Form 182, of which Copy 9 was a part. It has been replaced by\n        GPO Form 2917 Request, Authorization, Agreement, and Certification of\n        Training. Part 2 of this form, \xe2\x80\x9cEvaluation,\xe2\x80\x9d is being used by trainees to evaluate\n        their training and is now being tracked in the Workforce Development office\n        database. We also observed that the branch is developing an internal report, to\n        be called the Course and Attendance Training Report (CAT), to monitor course\n        attendance. As a result, corrective action has been taken to ensure certification\n        of training in implementing this recommendation.\n\n        Recommendation -07: A review of the current listing of authorized GPO\n        purchase card cardholders for the months of December 2004 and January\n        2005 indicated that credit limits have been substantially increased. We\n        confirmed that the stated credit limit amounts were actually monthly limits.\n        Thus a credit limit of $100,000 as stated on the January 2005 listing of\n        cardholders was actually an annual limit of $1.2 million. The Customer\n        Services Controller, who had recently performed a review of purchase card use\n        within Engineering Services as of November 2004, noted that no cardholders\n05-03                                       10\n(343)\n\x0c        had exceeded their annual limits because the limits were so high. We selected\n        a judgmental sample of 40 credit card charges by 10 cardholders in Central\n        Office for the month of December 2004. All charges were within the\n        established limits. As a result, corrective action has been taken to ensure that\n        cardholders do not exceed annual dollar limits in implementing this\n        recommendation.\n\n        Recommendation -08: As noted previously, the current listing of authorized\n        GPO purchase card cardholders for January 2005 indicated that credit limits\n        substantially increased. We reviewed the listing of cardholders at the time of\n        the original audit and noted that the annual credit limits for the two purchasing\n        agents cited in Audit Report #02-09 were $50,000 and $75,000 respectively.\n        The new credit limits for purchasing agents in Acquisition Services as of\n        January 2005 indicated that three purchase card cardholders identified as\n        purchasing agents on this listing had monthly dollar limitations of $100,000,\n        $100,000, and $40,000 respectively. As a result, corrective action has been\n        taken to ensure that annual dollar limitations were raised for purchasing agents\n        in implementing this recommendation.\n\n\n\n\n05-03                                       11\n(343)\n\x0c                    FINDINGS AND RECOMMENDATIONS\n\n\n              1. VULNERABILITY ASSESSMENTS AND INTERNAL\n                 CONTROL REVIEWS NEED TO BE PERFORMED\n\n  BACKGROUND\n\n  GPO Instruction 825.18A, Internal Control Program was issued in May 1997. It\n  prescribes policies and standards and also assigns responsibilities for conducting\n  vulnerability assessments and internal control reviews of GPO programs and\n  activities. This Instruction cites that the Public Printer has overall responsibility to\n  ensure that an effective internal control structure is both established and\n  maintained, by GPO managers, for all programs and functions. It also tasks the\n  Deputy Public Printer with ensuring that all such vulnerability assessments and\n  annual internal control reviews are performed.\n\n  FINDING\n\n  Adequate internal control reviews were not fully developed for the SmartPay\n  Program. The development of adequate control reviews serves as an effective\n  internal control measure to provide reasonable assurance that government\n  resources and assets are safeguarded against fraud, waste, abuse and misuse.\n  In addition, neither a vulnerability assessment nor a general risk analysis was\n  performed of the SmartPay Program and how it operates within Engineering\n  Services (Plant Operations), or within Workforce Development, Education, and\n  Training Branch (Human Capital).\n\n  Vulnerability assessments and risk analyses identify controls that may be weak\n  (need to be strengthened), nonexistent (need to be developed) or are redundant, as\n  well as verifying those that are adequate. In addition, these types of analyses serve\n  as a control device for the evaluation and measurement of controls that are already\n  established and in place. Such assessments would provide an effective reporting\n  measure to determine whether the SmartPay Program\xe2\x80\x99s objectives have been\n  achieved, and the allocations of monies spent have been adequately accounted.\n\n  GPO Instruction 825.18A Internal Control Program, Part 3, "Policy" states:\n\n        "GPO shall maintain effective systems of accounting and manage-\n        ment control. GPO\'s managers should continuously monitor and\n        improve the effectiveness of management controls associated with\n        their programs, functions, and activities, through the performance of\n        vulnerability assessments and internal control reviews."\n05-03                                      12\n(343)\n\x0c   Within Part 5, "Definitions" of Instruction 825.18A, these terms are defined:\n\n        "a. Vulnerability Assessment \xe2\x80\x93 a review of the susceptibility of a\n        program, function, or activity to loss or unauthorized use of\n        resources, errors in reports and information, illegal or unethical acts,\n        and/or adverse or unfavorable public opinion.\xe2\x80\x9d\n\n        "b. Internal Control Review \xe2\x80\x93 a detailed examination of the internal\n        controls of the activity or program to determine whether adequate\n        control measures exist and are implemented to prevent or detect the\n        occurrence of potential risks in a cost-effective manner. Internal\n        control reviews are often predicated upon the findings associated\n        with the vulnerability assessments.\xe2\x80\x9d\n\n   GPO management in Engineering Services was not aware that internal control\n   reviews and periodic vulnerability assessments (or a risk analysis assessment)\n   needed to be performed on the SmartPay Program. Engineering Services\n   officials were unfamiliar with the overall concept of internal control reviews and/or\n   vulnerability assessments, never having performed one as it is defined.\n   In a second department, Workforce Development, Education and Training Branch,\n   the Chief was aware of the need for these reviews. However, the department has\n   undergone extensive reorganization in the past year, including the hiring of a new\n   director and numerous other new-hires. An internal control review or vulnerability\n   assessment has yet to be conducted in this department.\n\n   When a vulnerability assessment or a general risk analysis is neither developed\n   nor performed, an essential reporting measurement device is not established to\n   create an effective internal control environment. When adequate internal control\n   reviews are not performed or they are not periodically reviewed in an organized\n   systematic manner, GPO can be exposed to increased opportunities for fraud,\n   waste, and abuse.\n\n   For example, when OIG auditors requested a listing of all current GPO purchase\n   cards in December 2004, a total of 21 cards were listed for Engineering Services.\n   However, these card listings were associated with only 14 employee names. If a\n   vulnerability assessment or risk analysis had reviewed cardholders internally\n   within Engineering Services as part of an internal control review program, these\n   discrepancies and potential exposure to fraud, waste and abuse could have been\n   detected. The Agency Organization Program Controller for GPO corrected this\n   listing in January 2005.\n\n   As another example, the above-mentioned review of the December 2004 listing of\n   purchase cards indicated that there were no cardholders in the Workforce\n   Development, Education and Training Branch. After subsequent reviews and\n   corrections were made to the list by Acquisition Services, this listing showed one\n   cardholder, who should have been (but was not) included on the prior listing, and\n05-03                                     13\n(343)\n\x0c  whose credit limit was stated at $1.5 million. An effective vulnerability\n  assessment or risk analysis should have detected this very high limit and, as part\n  of an effective internal control program, would have ensured that it was reported\n  to Acquisition Services to assist them in maintaining the overall control\n  effectiveness of purchase cards.\n\n  RECOMMENDATION\n\n  The Plant Operations Managing Director and the Chief Human Capital Officer\n  should ensure that a periodic vulnerability assessment or risk analysis of the\n  SmartPay Program is performed within each of their respective departments to\n  support an effective internal control review program as required by GPO Instruction\n  825.18A (0503-01).\n\n  MANAGEMENT COMMENTS\n\n  Management agreed with the finding and the recommendation (See Appendix II).\n\n\n\n\n05-03                                      14\n(343)\n\x0c                    2. WRITTEN PROCEDURES WERE NOT\n                   ESTABLISHED IN ENGINEERING SERVICES\n\n  BACKGROUND\n\n  Adequate written procedures provide clear concise guidelines and instructions.\n  Written procedures ensure uniformity of procedures and serve as an effective\n  evaluation tool. In addition, written procedures serve as an effective reporting\n  measure to determine if the program operation objective(s) have been achieved\n  and specify the responsibility and accountability for program operations results.\n  These procedures can be particularly important when a program crosses\n  departmental lines, making duties and functions less clear-cut.\n\n  FINDING\n\n  Written policies or Standard Operating Procedures (SOPs) were not developed\n  for the purpose of monitoring and administering the Purchase Card Program\n  within Engineering Services. While we verified that Engineering Services is\n  monitoring and accounting for employees\' use of the purchase card, the lack of\n  written policies or SOPs increases opportunities for misunderstanding and\n  potential misuse.\n\n  As GPO\'s workforce diversifies while it changes, the need for reliance on\n  adequate written policies and SOPs will increase to accommodate new-hires\n  unfamiliar with GPO and/or use of the government purchase card.\n\n  Standard 4 of GPO Instruction 825.18A requires that:\n\n        "Managers should ensure that appropriate authority, responsibility,\n        and accountability are defined and delegated to accomplish the\n        mission of the organization, and that an appropriate organizational\n        structure is established to effectively carry out program\n        responsibilities."\n\n  GPO Instruction 805.27A Obtaining, Using and Safeguarding Commercial Credit\n  Cards requires each cardholder and approving official to complete a minimum of\n  two hours\xe2\x80\x99 training in basic procurement and how to use the purchase cards.\n  However, once the training has been completed, cardholders have only the other\n  guidelines of this Instruction for reference regarding policy and procedures at a\n  GPO-wide level. The department now charged with overseeing the purchase card\n  program as a whole (Acquisition Services) has acknowledged that GPO Instruction\n  805.27A needed to be updated, and has issued a revised draft for management\n  comments (GPO Instruction 805.27B). However, the process of reviewing,\n  approving and summarizing credit card usage for all Engineering Services\n  cardholders is not documented.\n\n\n05-03                                    15\n(343)\n\x0c  When adequate written procedures are not established, opportunities increase\n  for fraud, waste, misuse, and abuse of government resources. A review of the\n  general listing of GPO purchase card cardholders as of January 2005 identified\n  a total of 24 cardholders in Engineering Services. We noted that 15 of these\n  cardholders (or 63 percent) were not shown on the December 2004 listing, even\n  though they had cards at that time.\n\n  Also, the justification for changes in policy, such as increases in credit limits,\n  may be overlooked. In this situation, 16 of the 21 purchase card listings for\n  Engineering Services in December 2004 had credit limits of $25,000 or less.\n  However, of the 24 Engineering cardholders reported in January 2005, 21 (or\n  88 percent) were now listed as possessing cards with credit limits of $100,000.\n  We attempted to determine when or how long the 16 names new to the list had\n  possessed these credit limits, but information was not readily available.\n\n  With such large amounts of purchasing power available, it is essential that\n  cardholders are both made aware of the regulations and restrictions associated\n  with the purchase card and also that the review and approval process is\n  documented, not only as established by the agency in GPO Instruction 805.27A,\n  but also within their own department. The subject of increasing the individual\n  card limits is not addressed by GPO Instruction 805.27A. If a cardholder\xe2\x80\x99s credit\n  limit is to be changed, especially in the event of a substantial increase, the\n  existence of written policies and procedures in individual GPO departments\n  would assist greatly in documenting this process.\n\n  RECOMMENDATION\n\n  The Plant Operations Managing Director should ensure that written policies and\n  standard operating procedures are developed for the purchase card program in\n  order to serve as an effective internal control measure to complement GPO\n  Instruction 805.27A, including any subsequent revisions (0503-02).\n\n   MANAGEMENT COMMENTS\n\n   Management agreed with the finding and the recommendation (See Appendix II).\n\n\n\n\n05-03                                     16\n(343)\n\x0c                3. MONITORING OF RETIRED PURCHASE CARDS\n                          NEEDS TO BE IMPROVED\n\n  BACKGROUND\n\n  When a GPO employee retires or is separated, they are required to complete\n  GPO Form 2938 Employee Checkout Sheet. It is a checklist for returning GPO\n  office property before they leave GPO permanently. On the reverse side of this\n  form, there is a section titled \xe2\x80\x9cTravel Office\xe2\x80\x9d for employees to sign that accounts\n  for their return of a travel credit card issued to them. There is no mention of a\n  purchase card.\n\n  FINDING\n\n  Documented proof of employee return or surrender of their assigned purchase\n  card(s) was not being carefully monitored. Our analysis of the listing of GPO\n  employee purchase card holders for December 2004 revealed that 42 of the 75\n  employees listed for Central Office (or 56 percent) were no longer employed at\n  GPO.\n\n  Standard 7 of GPO Instruction 825.18A requires that:\n\n        "Transactions should be promptly recorded, properly classified, and\n        accounted for in order to prepare timely accounts and reliable financial\n        and other reports. The documentation for transactions, management\n        controls, and other significant events must be clear and readily\n        available for examination."\n\n  GPO Form 2938 does not contain any portion that would account for the timely\n  collection of purchase cards from individual cardholders that could be verified by\n  the Acquisitions Office, the office that administers the SmartPay Purchase Card\n  Program. Although Form 2938 does contain a subsection that provides for\n  employee return of a travel credit card, this is a type of credit card that is\n  separate and distinct from a purchase card. Also, GPO Instruction 805.27A,\n  which governs the safeguarding of GPO purchase cards, is silent on the subject\n  of returning or relinquishing a purchase card upon employee retirement,\n  separation or other reason (such as transferring to another department).\n\n  Since the Acquisitions Office did not receive or record timely notification of\n  purchase card cardholders separating from GPO on a systematic basis, their\n  recordkeeping of current cardholders became outdated. For example, when we\n  reviewed a listing of GPO purchase cards for December 2004, we noticed the\n  name of a former OIG employee who had retired in April 2004. This former\n  employee was still on the purchase card listing, with a $50,000 credit limit. The\n  Chief of Acquisition Services recognized this employee\'s name and verified that\n  his card had been personally relinquished at the time of his April 2004\n\n05-03                                      17\n(343)\n\x0c  retirement. The listing of cardholders for January 2005 confirmed this former\n  employee\xe2\x80\x99s removal from the list. However, when adequate control procedures\n  are not established to support accurate recordkeeping, opportunities increase for\n  fraud, waste, misuse and abuse of government resources.\n\n  RECOMMENDATION\n\n  The Chief Human Capital Officer should take steps to ensure that GPO Form 2938\n  be revised to include an area where an employee\'s relinquishing of their purchase\n  card can be identified and recorded on a timely basis (0503-03).\n\n  MANAGEMENT COMMENTS\n\n  Management agreed with the finding and the recommendation (See Appendix II).\n\n\n\n\n05-03                                    18\n(343)\n\x0c                                                                       APPENDIX I\n                                                                       Page 1 of 1\n                     SUMMARY TABLE OF RECOMMENDATIONS\n                            AUDIT REPORT #02-09\n\n                     Audit Recommendation                            Status\n0209-01: The Director, Materials Management Service,\nshould ensure that the Chief, General Procurement Division\nreconciles the receiving tickets to the disputed ticket items      Implemented\nas far back as the inception of the SmartPay Program in\n1998.\n0209-02: The Director, Materials Management Service,\nshould ensure that the Chief, General Procurement Division,\ndevelops and implements a new policy on reconciling                Implemented\ndisputed items by MMS credit card holders.\n0209-03: The Director, Materials Management Service,\nshould ensure that the Chief, General Procurement Division,\nreduces the number of future small purchases under $500\nprocured by MMS credit card holders and issues more credit         Implemented\ncards to supervisors of departments at the Central Office in\norder to procure future small purchases economically and\ntimely.\n0209-04: The Director, Engineering Service, should ensure\nthat the Chief, Facilities Division monitors future credit card    Implemented\npurchases by the Supervisor, Pipe and Sheet Metal Branch.\n0209-05: The Director, Engineering Service, should ensure\nthat the Chief, Facilities Division submits a request to MMS\nto increase the $500 transaction limit to facilitate the future    Implemented\nneeds of Pipe and Sheet Metal Branch.\n0209-06: The Director, Personnel, should ensure that the\nChief, Training and Career Development Branch receives a\nCopy 9 of the Request, Authorization, Agreement and\nCertification of Training form before authorizing payment on       Implemented\nfuture training courses or uses other alternate means of\ncertification of training, such as making telephone calls to\nthe employees\xe2\x80\x99 supervisors.\n0209-07: The Director, Materials Management Service,\nshould ensure that the Chief, General Procurement Division\nperiodically reviews the annual dollar limitations of the credit   Implemented\ncard holders to ensure the holders do not exceed the\nestablished annual dollar limitations.\n0209-08: The Director, Materials Management Service,\nshould ensure that the Chief, General Procurement Division\nconsiders either raising the annual dollar limitations for the     Implemented\ntwo credit card holders (purchasing agents) or decreasing\ntheir workload.\n05-03                                         19\n(343)\n\x0c\x0c\x0c\x0c\x0c'